Despite Being Anonymous, Hacktivist Sabu Wasn't Hard to Find

The most interesting thing about Tuesday's news that the
prominent Anonymous hacker known as Sabu had been cooperating
with the FBI was that his true identity was no surprise.

Since late June of 2011, after his
initial arrest and just about when his LulzSec crew
ended its seven-week hacking campaign, Sabu had been thought
to be a New York man of Puerto Rican ancestry with leftist
leanings. (The original Sabu was a wrestler popular during the
1990s.)

Hector Xavier Monsegur — sometimes spelled as "Montsegur" — was
one of two possible names for Sabu
bandied about the Internet. The other name belonged to a
Portuguese man who sold Monsegur a domain name years ago, and who
was "outed" as Sabu at least once. (SecurityNewsDaily did not
publish Monsegur's name before Tuesday and will not publish the
Portuguese man's.)

In several online postings, enemies of Anonymous such as the
patriotic hacker The Jester (@th3j35t3r on Twitter) and a group
called the Web Ninjas identified Monsegur as Sabu, although The
Jester later leaned toward the Portuguese name.

Members of Anonymous who try to stay secret "fail because they
rely on each other to be effective," The Jester told
SecurityNewsDaily in an online exchange. "This is the reason I
work alone. I can't implicate anyone in my stuff, [and] vice
versa."

An untitled WordPress blog, which we'll call "Ceaxx"
after its URL, was set up in August by parties unknown and
correctly identified Sabu as Monsegur. It traced his Internet
postings back to 2000, when he posted an impassioned rant about U.S. Navy bomb
testing on the island of Vieques off Puerto Rico.

Ceaxx also linked to Xavier's Security Post, a well-written and
informative blog that Monsegur apparently updated for about
six months in 2006 under the alias "Xavier de Leon."

Both Ceaxx and an anonymous Pastebin posting on June 24,
2011, the day before LulzSec ceased its activities, gave
Monsegur's primary email address as "compromise@gmail.com." A
month later, a different Pastebin posting nailed
Monsegur's full name, though it gave the address of a
different public housing project, this one in East Harlem.

Monsegur's family was even profiled in the New York Times in October
2007 as part of a feature about people who had been barred
from public housing for drug offenses. The Times story said
Monsegur's father, also known as Hector Monsegur, and the
elder Monsegur's sister had been caught and convicted of
dealing heroin in 1997.

According to this week's media reports, the younger Monsegur
continues to live in his grandmother's apartment in the Jacob
Riis Houses on Avenue D in Manhattan's Alphabet City, along with
younger siblings, his girlfriend and his girlfriend's two
children.

Most convincing were the ownership records of the domain name
"prvt.org," which the Portuguese man had sold to Monsegur. During
a couple of public chat sessions with other Anonymous members,
Sabu mentioned that he controlled the domain, which led his
enemies to look up the domain records. On June 25 and 26, The
Jester publicized his findings, which got Monsegur's name and
address exactly right.

"Over the past several months, all of the original LulzSec members
except Sabu himself have been arrested. Even though Sabu has been
publicly doxed [identified] and completely owned on several
occasions," read the posting. "You may be asking yourself, why is
he still free? The answer is Intel. The longer he is 'free' is
the longer that the FBI and other LEAs [law enforcement agencies]
can gather information on other hackers and move in for more
arrests. Simple as that."

An FBI official confirmed to SecurityNewsDaily that the
authorities had known Monsegur's name and address long before his
arrest, but waited until they had enough evidence before knocking
on his door.